Missing User Warnings
Medium
- Confidence
- 89% confidence
- Finding
- The skill instructs users to store Canva OAuth tokens in `~/.canva/tokens.json` but does not warn that these are sensitive bearer credentials or recommend restrictive file permissions. Local token persistence is common, but undocumented storage of reusable access tokens increases the chance of accidental disclosure through backups, shared machines, or permissive filesystem access.
